U.S. Department of Commerce NOAA Privacy Impact Assessment for the Southeast Fisheries Science Center (SEFSC) NOAA4400 Reviewed by:, Bureau Chief Privacy Officer Concurrence of Senior Agency Official for Privacy/DOC Chief Privacy Officer Non-concurrence of Senior Agency Official for Privacy/DOC Chief Privacy Officer Catrina D. Purvis Digitally signed by Catrina D. Purvis DN: cn=catrina D. Purvis, o=office of the Secretary, Office of Privacy and Open Government, ou=us Department of Commerce, email=cpurvis@doc.gov, c=us Date: 2016.06.21 10:43:49-04'00' Signature of Senior Agency Official for Privacy/DOC Chief Privacy Officer Date
U.S. Department of Commerce Privacy Impact Assessment NOAA4400 - Southeast Fisheries Science Center (SEFSC) Network Unique Project Identifier: NOAA4400 Introduction: System Description The Southeast Fisheries Science Center (SEFSC) conducts multi-disciplinary research programs to provide management information to support national and regional programs of NOAA's National Marine Fisheries Service (NMFS) and to respond to the needs of Regional Fishery Management Councils, Interstate and International Fishery Commission, Fishery Development Foundations, government agencies, and the general public. The Southeast Fisheries Science Center (SEFSC) is headquartered in Miami, FL. The SEFSC is responsible for scientific research on living marine resources that occupy marine and estuarine habits of the continental southeastern United States, as well as Puerto Rico and the U.S. Virgin Islands. The SEFSC is one of the six national marine fishery science centers responsible for federal marine fishery research programs. The Science: In general, SEFSC develops the scientific information required for: Fishery resource conservation Fishery development and utilization Habitat conservation Protection of marine mammals and endangered marine species The Research: Impact analyses and environmental assessments for management plans and international negotiations are also prepared, and research is pursued to address specific needs in: Population dynamics Fishery biology Fishery economics Engineering and gear development Protected species biology NOAA4400 has a Fisheries Logbook System (FLS) which collects vessel and captain s names, numbers of each species caught, the numbers of animals retained or discarded alive or discarded dead, the location of the set, the types and size of gear, the duration of the set, port of departure and return, unloading dealer and location, number of sets, number of crew, date of departure and landing, and an estimate of the fishing time. 1
The legal authorities for collection of information addressed in this PIA are: 5 U.S.C. 301 authorizes the operations of an executive agency, including the creation, custodianship, maintenance and distribution of records. Magnuson-Stevens Fishery Conservation and Management Act, 16 U.S.C. 1801 et seq (MSA) authorizes the collection of logbook information. NOAA4400 shares information only within the bureau. This is a moderate impact system. Section 1: Status of the Information System 1.1 Indicate whether the information system is a new or existing system. This is a new information system. This is an existing information system with changes that create new privacy risks. (Check all that apply.) Changes That Create New Privacy Risks (CTCNPR) a. Conversions d. Significant Merging g. New Interagency Uses b. Anonymous to Non- Anonymous e. New Public Access h. Internal Flow or Collection c. Significant System Management Changes f. Commercial Sources i. Alteration in Character of Data j. Other changes that create new privacy risks (specify): This is an existing information system in which changes do not create new privacy risks. Section 2: Information in the System 2.1 Indicate what personally identifiable information (PII)/business identifiable information (BII) is collected, maintained, or disseminated. (Check all that apply.) Identifying Numbers (IN) a. Social Security* e. File/Case ID i. Credit Card b. Taxpayer ID f. Driver s License j. Financial Account c. Employer ID g. Passport k. Financial Transaction d. Employee ID h. Alien Registration l. Vehicle Identifier m. Other identifying numbers (specify): *Explanation for the need to collect, maintain, or disseminate the Social Security number, including truncated form: 2
General Personal Data (GPD) a. Name g. Date of Birth m. Religion b. Maiden Name h. Place of Birth n. Financial Information c. Alias i. Home Address o. Medical Information d. Gender j. Telephone Number p. Military Service e. Age k. Email Address q. Physical Characteristics f. Race/Ethnicity l. Education r. Mother s Maiden Name s. Other general personal data (specify): Work-Related Data (WRD) a. Occupation d. Telephone Number g. Salary b. Job Title e. Email Address h. Work History c. Work Address f. Business Associates i. Other work-related data (specify): Distinguishing Features/Biometrics (DFB) a. Fingerprints d. Photographs g. DNA Profiles b. Palm Prints e. Scars, Marks, Tattoos h. Retina/Iris Scans c. Voice f. Vascular Scan i. Dental Profile Recording/Signatures j. Other distinguishing features/biometrics (specify): System Administration/Audit Data (SAAD) a. User ID c. Date/Time of Access e. ID Files Accessed b. IP Address d. Queries Run f. Contents of Files g. Other system administration/audit data (specify): Other Information (specify): NOAA4400 has a Fisheries Logbook System (FLS) which collects vessel and captains names, numbers of each species caught, the numbers of animals retained or discarded alive or discarded dead, the location of the set, the types and size of gear, the duration of the set, port of departure and return, unloading dealer and location, number of sets, number of crew, date of departure and landing, and an estimate of the fishing time. 2.2 Indicate sources of the PII/BII in the system. (Check all that apply.) Directly from Individual about Whom the Information Pertains In Person Hard Copy: Mail/Fax Online Telephone Email 3
Government Sources Within the Bureau Other DOC Bureaus Other Federal Agencies State, Local, Tribal Foreign Other (specify Non-government Sources Public Organizations Private Sector Commercial Data Brokers Third Party Website or Application 2.3 Indicate the technologies used that contain PII/BII in ways that have not been previously deployed. (Check all that apply.) Technologies Used Containing PII/BII Not Previously Deployed (TUCPBNPD) Smart Cards Biometrics Caller-ID Personal Identity Verification (PIV) Cards There are not any technologies used that contain PII/BII in ways that have not been previously deployed. Section 3: System Supported Activities 3.1 Indicate IT system supported activities which raise privacy risks/concerns. (Check all that apply.) Activities Audio recordings Video surveillance Building entry readers Electronic purchase transactions There are not any IT system supported activities which raise privacy risks/concerns. Section 4: Purpose of the System 4.1 Indicate why the PII/BII in the IT system is being collected, maintained, or disseminated. (Check all that apply.) Purpose To determine eligibility For administering human resources programs For administrative matters To promote information sharing initiatives For litigation For criminal law enforcement activities For civil enforcement activities For intelligence activities 4
To improve Federal services online For employee or customer satisfaction For web measurement and customization For web measurement and customization technologies (single-session ) technologies (multi-session ) BII is collected for regulatory requirements with respect to fisheries regulations per MSA. Section 5: Use of the Information 5.1 In the context of functional areas (business processes, missions, operations, etc.) supported by the IT system, describe how the PII/BII that is collected, maintained, or disseminated will be used. Indicate if the PII/BII identified in Section 2.1 of this document is in reference to a federal employee/contractor, member of the public, foreign national, visitor or other (specify). NOAA4400 collects PII (captain s name) and BII from logbooks for the purposes of regulating the applicable fisheries. This information is maintained locally within NOAA4400 system and is used only for research and regulatory purposes. This information is collected from members of the public and shared only within the bureau. Section 6: Information Sharing and Access 6.1 Indicate with whom the bureau intends to share the PII/BII in the IT system and how the PII/BII will be shared. (Check all that apply.) Recipient Within the bureau DOC bureaus Federal agencies State, local, tribal gov t agencies Public Private sector Foreign governments Foreign entities How Information will be Shared Case-by-Case Bulk Transfer Direct Access The PII/BII in the system will not be shared. 6.2 Indicate whether the IT system connects with or receives information from any other IT systems authorized to process PII and/or BII. Yes, this IT system connects with or receives information from another IT system(s) authorized to process PII and/or BII. Provide the name of the IT system and describe the technical controls which prevent PII/BII leakage: 5
No, this IT system does not connect with or receive information from another IT system(s) authorized to process PII and/or BII. 6.3 Identify the class of users who will have access to the IT system and the PII/BII. (Check all that apply.) Class of Users General Public Government Employees Contractors Section 7: Notice and Consent 7.1 Indicate whether individuals will be notified if their PII/BII is collected, maintained, or disseminated by the system. (Check all that apply.) Yes, notice is provided pursuant to a system of records notice published in the Federal Register and discussed in Section 9. Yes, notice is provided by a Privacy Act statement and/or privacy policy. The Privacy Act statement and/or privacy policy can be found at: (on letters to permit holders, see below). Yes, notice is provided by other means. Specify how: Notice is given on letters to permit holders explaining permit-related responsibilities. No, notice is not provided. Specify why not: 7.2 Indicate whether and how individuals have an opportunity to decline to provide PII/BII. Yes, individuals have an opportunity to decline to provide PII/BII. No, individuals do not have an opportunity to decline to provide PII/BII. Specify how: Fishermen may decline to provide PII/BII, by not completing their logbooks, but this information is required under the MSA and also is needed to maintain their permits. Specify why not: 7.3 Indicate whether and how individuals have an opportunity to consent to particular uses of their PII/BII. 6
Yes, individuals have an opportunity to consent to particular uses of their PII/BII. No, individuals do not have an opportunity to consent to particular uses of their PII/BII. Specify how: The only uses of the logbook information are research and regulatory purposes. Consent to these uses is implied by completion of the logbook. Specify why not: 7.4 Indicate whether and how individuals have an opportunity to review/update PII/BII pertaining to them. Yes, individuals have an opportunity to review/update PII/BII pertaining to them. No, individuals do not have an opportunity to review/update PII/BII pertaining to them. Specify how: Fishermen may contact NOAA4400 offices (the contact information is on the logbook forms) and ask to review their own logbook data. Specify why not: Section 8: Administrative and Technological Controls 8.1 Indicate the administrative and technological controls for the system. (Check all that apply.) All users signed a confidentiality agreement or non-disclosure agreement. All users are subject to a Code of Conduct that includes the requirement for confidentiality. Staff (employees and contractors) received training on privacy and confidentiality policies and practices. Access to the PII/BII is restricted to authorized personnel only. Access to the PII/BII is being monitored, tracked, or recorded. Explanation: Monitoring is performed by using an encrypted oracle warehouse application that keeps the record of all logins. Only authorized users have access to confidential data. The information is secured in accordance with FISMA requirements. Provide date of most recent Assessment and Authorization (A&A): 03/10/2016 This is a new system. The A&A date will be provided when the A&A package is approved. The Federal Information Processing Standard (FIPS) 199 security impact category for this system is a moderate or higher. NOAA4400 has been categorized as MODERATE. NIST Special Publication (SP) 800-122 and NIST SP 800-53 Revision 4 Appendix J recommended security and privacy controls for protecting PII/BII are in place and functioning as intended; or have an approved Plan of Action and Milestones (POAM). Contractors that have access to the system are subject to information security provisions in their contracts required by DOC policy. Contracts with customers establish ownership rights over data including PII/BII. 7
Acceptance of liability for exposure of PII/BII is clearly defined in agreements with customers. 8.2 Provide a general description of the technologies used to protect PII/BII on the IT system. The potential risk of inappropriate disclosure and/or unauthorized disclosure is mitigated by limiting the number of authorized system users, providing initial and annual system security training, monitoring authorized user activity, automatic and immediate notification of unauthorized system access or usage to the system administrator, documenting user violations, and gradually increasing user reprimands for system violations ranging from a verbal warning with refresher security training to denial of system access. Logbook data when entered is put into our Oracle Database server using Oracle Linux with Oracle VMWare OS layer. This system uses the native Oracle DB encryption method. The only way to read data on the Oracle DB is to first have access by authenticating from within the SEFSC LAN. Accessing the raw at rest data provides only unintelligible data. The information is secured via both administrative and technological controls. BII is stored on shared drives that require CAC for access. The principle of least privilege and separation of duties is implemented by SEFSC to ensure that only personnel with the need to know have access to this information. All NOAA4400 personnel and contractors are instructed on the confidential nature of this information. Through acknowledgement of the NOAA rules of behavior, account request agreements etc. all users are instructed to abide by all statutory and regulatory data confidentiality requirements, and will only release the data to authorized users. Buildings employ security systems with locks and access limits. Only those that have the need to know, to carry out the official duties of their job, have access to the data. Computerized data base is password protected, and access is limited. Paper records are maintained in secured file cabinets in areas that are accessible only to authorized personnel of NOAA4400. Section 9: Privacy Act 9.1 Indicate whether a system of records is being created under the Privacy Act, 5 U.S.C. 552a. (A new system of records notice (SORN) is required if the system is not covered by an existing SORN). As per the Privacy Act of 1974, the term system of records means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. Yes, this system is covered by an existing system of records notice (SORN). Provide the SORN name and number (list all that apply): NOAA-6, Fishermen s Statistical Data Yes, a SORN has been submitted to the Department for approval on (date). No, a SORN is not being created. 8
Section 10: Retention of Information 10.1 Indicate whether these records are covered by an approved records control schedule and monitored for compliance. (Check all that apply.) There is an approved record control schedule. Provide the name of the record control schedule: Chapter 1500: 1505-11 and 1507-11 No, there is not an approved record control schedule. Provide the stage in which the project is in developing and submitting a records control schedule: Yes, retention is monitored for compliance to the schedule. No, retention is not monitored for compliance to the schedule. Provide explanation: 10.2 Indicate the disposal method of the PII/BII. (Check all that apply.) Disposal Shredding Overwriting Degaussing Deleting Section 11: NIST Special Publication 800-122 PII Confidentiality Impact Levels 11.1 Indicate the potential impact that could result to the subject individuals and/or the organization if PII were inappropriately accessed, used, or disclosed. Low the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. Moderate the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. High the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. 11.2 Indicate which factors were used to determine the above PII confidentiality impact levels. (Check all that apply.) Identifiability Provide explanation: Quantity of PII Provide explanation: Minimal PII in logbooks, i.e. Captain s name 9
Data Field Sensitivity Provide explanation: Fishing location information. Context of Use Provide explanation: Information collected is for granted system accounts which include business information to support NMFS s mission. Obligation to Protect Confidentiality Provide explanation: MSA Section 402b. Access to and Location of PII Provide explanation: Restricted access. Other: Provide explanation: Section 12: Analysis 12.1 Indicate whether the conduct of this PIA results in any required business process changes. Yes, the conduct of this PIA results in required business process changes. Explanation: There is now a Privacy Act Statement on letters to permit holders that describe permit-related responsibilities. No, the conduct of this PIA does not result in any required business process changes. 12.2 Indicate whether the conduct of this PIA results in any required technology changes. Yes, the conduct of this PIA results in required technology changes. Explanation: No, the conduct of this PIA does not result in any required technology changes. 10
Version Number: 01-2016 Points of Contact and Signatures Information System Security Officer or System Owner Name: Tyree Davis Office: SEFSC Phone: 3053614564 Email: tyree.davis@noaa.gov I certify that this PIA is an accurate representation of the security controls in place to protect PII/BII processed on this IT system. DAVIS.TYREE. T.1365868596 Digitally signed by DAVIS.TYREE.T.1365868596 Signature: DN: c=us, o=u.s. Government, ou=dod, ou=pki, ou=other, cn=davis.tyree.t.1365868596 Date: 2016.06.02 16:03:52-04'00' Date signed: Authorizing Official Name: Theo Brainerd Office: SEFSC Phone: 3053614284 Email: theo.brainerd@noaa.gov I certify that this PIA is an accurate representation of the security controls in place to protect PII/BII processed on this IT system. Digitally signed by THOMPSON. THOMPSON.PETER.G.DR.1365826 931 DN: c=us, o=u.s. Government, Signature: PETER.G.DR. ou=dod, ou=pki, ou=other, cn=thompson.peter.g.dr.1365 826931 Date signed: 1365826931 Date: 2016.06.06 15:19:27-04'00' Information Technology Security Officer Richard Miner Name: Office: NFMS Phone: (301) 427-8813 Email: Bill.Stearn@noaa.gov I certify that this PIA is an accurate representation of the security controls in place to protect PII/BII processed on this IT system. MINER.RICHARD.SCO Signature: TT.1398604519 2016.06.08 14:43:35 Date signed: -04'00' Bureau Chief Privacy Officer Name: Office: Phone: Email: I certify that the PII/BII processed in this IT system is necessary, this PIA ensures compliance with DOC policy to protect privacy, and the Bureau/OU Privacy Act Officer concurs with the SORNs and authorities cited. Digitally signed by GRAFF.MARK.HYR GRAFF.MARK.HYRUM.1514447892 DN: c=us, o=u.s. Government, ou=dod, ou=pki, ou=other, cn=graff.mark.hyrum.1514447892 Signature: UM.1514447892 Date: 2016.06.08 15:14:22-04'00' Date signed: This page is for internal routing purposes and documentation of approvals. Upon final approval, this page must be removed prior to publication of the PIA.